Both in my ubuntu desktop host and virtual machine. I have't login as root for about a month, during which I upgraded the kernel. I found my root password doesn't work anymore. However, by using sudo passwd root, I can easily reset the root password by current user password. How could this happen? I don't have a problem anymore, just curious about the underline reason for this.
Thank you!

4 Answers
4

First of all, sudo executes commands as root, so resetting the actual root password while accessing as root to begin with usually isn't a problem. You already have root access through sudo, so there's little change. (This assumes you don't have a setup that restricts user commands but allows them to sudo passwd ... But that's a configuration issue.)

Secondly, in order to remotely infiltrate a PC through the use of sudo passwd, you would have to a) trick the user into giving you the user password one way or another (which, again, gives sudo access just as well), or b) have physical access to the machine, in which case "remote" probably isn't so true anymore.

So, no, there is no direct security risk. Certain (but uncommon and illogical) configurations may create a loophole there, but that's it.

No, it's not a security problem. If you have the ability to run sudo commands as root, which users generally do in Ubuntu, you're fine. The idea behind sudo is that you can run commands as root, without logging in as root.

Not a security problem. Not unusual. The system is working like it's supposed to. Nothing to see here.

sudo runs commands as a user other than the one currently logged in. Usually you'd use this to run stuff as root, though you can run stuff as other users too.

So sudo passwd root tells the system to change the root password, and to do it as though you were root. The root user is allowed to change the root user's password, so the password changes. The system is working as designed.

The missing piece of this puzzle is that not everyone is allowed to usesudo. In fact, the way that sudo is configured by default, only one group of users is allowed to do that. The user you created when you installed the system is automatically put into that group, but you can create users who aren't. You can even take yourself out of that group if you really want to. You can even set sudo up so that some users (or groups of users) are only allowed to do certain specific things.

That said, it's true that your first user is allowed to do anything as root. This is why sudo asks you for your password. An attacker who gets into your account won't need that the root password to do root-y things, but will still need your password to do them. A lot of attacks don't actually give the attacker your password, so sudo still limits the damage that can be done by those attacks.